Provide useful messages during cert validation

When the certificate validation was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

ipapython/certdb.py

@@ -52,6 +52,8 @@ CA_NICKNAME_FMT = "%s IPA CA"
 
 NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
 
+BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.'
+
 
 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
     return format % realm
@@ -547,9 +549,15 @@ class NSSDatabase(object):
         cert = x509.load_certificate(cert, x509.DER)
 
         try:
-            self.run_certutil(['-V', '-n', nickname, '-u', 'V'])
+            self.run_certutil(['-V', '-n', nickname, '-u', 'V'],
-        except ipautil.CalledProcessError:
+                              capture_output=True)
-            raise ValueError('invalid for a SSL server')
+        except ipautil.CalledProcessError as e:
+            # certutil output in case of error is
+            # 'certutil: certificate is invalid: <ERROR_STRING>\n'
+            msg = e.output.split(': ')[2].strip()
+            if msg == BAD_USAGE_ERR:
+                msg = 'invalid for a SSL server.'
+            raise ValueError(msg)
 
         try:
             x509.match_hostname(cert, hostname)
@@ -573,6 +581,12 @@ class NSSDatabase(object):
             raise ValueError("not a CA certificate")
 
         try:
-            self.run_certutil(['-V', '-n', nickname, '-u', 'L'])
+            self.run_certutil(['-V', '-n', nickname, '-u', 'L'],
-        except ipautil.CalledProcessError:
+                              capture_output=True)
-            raise ValueError('invalid for a CA')
+        except ipautil.CalledProcessError as e:
+            # certutil output in case of error is
+            # 'certutil: certificate is invalid: <ERROR_STRING>\n'
+            msg = e.output.split(': ')[2].strip()
+            if msg == BAD_USAGE_ERR:
+                msg = 'invalid for a CA.'
+            raise ValueError(msg)

ipatests/test_integration/test_caless.py

@@ -38,6 +38,8 @@ _DEFAULT = object()
 
 assert_error = tasks.assert_error
 
+CERT_EXPIRED_MSG = "Peer's Certificate has expired."
+
 
 def get_install_stdin(cert_passwords=()):
     lines = [
@@ -495,9 +497,8 @@ class TestServerInstall(CALessBase):
         result = self.install_server(http_pkcs12='http.p12',
                                      dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'The server certificate in http.p12 is not valid: '
+                     'The server certificate in http.p12 is not valid: {err}'
-                     "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
+                     .format(err=CERT_EXPIRED_MSG))
-                     'expired.')
 
     @server_install_teardown
     def test_expired_ds(self):
@@ -511,9 +512,8 @@ class TestServerInstall(CALessBase):
         result = self.install_server(http_pkcs12='http.p12',
                                      dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'The server certificate in dirsrv.p12 is not valid: '
+                     'The server certificate in dirsrv.p12 is not valid: {err}'
-                     "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
+                     .format(err=CERT_EXPIRED_MSG))
-                     'expired.')
 
     @server_install_teardown
     def test_http_bad_usage(self):
@@ -884,9 +884,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'The server certificate in http.p12 is not valid: '
+                     'The server certificate in http.p12 is not valid: {err}'
-                     "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
+                     .format(err=CERT_EXPIRED_MSG))
-                     'expired.')
 
     @replica_install_teardown
     def test_expired_ds(self):
@@ -898,9 +897,8 @@ class TestReplicaInstall(CALessBase):
         result = self.prepare_replica(http_pkcs12='http.p12',
                                       dirsrv_pkcs12='dirsrv.p12')
         assert_error(result,
-                     'The server certificate in http.p12 is not valid: '
+                     'The server certificate in http.p12 is not valid: {err}'
-                     "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
+                     .format(err=CERT_EXPIRED_MSG))
-                     'expired.')
 
     @replica_install_teardown
     def test_http_bad_usage(self):
@@ -1311,18 +1309,16 @@ class TestCertinstall(CALessBase):
 
         result = self.certinstall('w', 'ca1/server-expired')
         assert_error(result,
-                     'The server certificate in server.p12 is not valid: '
+                     'The server certificate in server.p12 is not valid: {err}'
-                     "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
+                     .format(err=CERT_EXPIRED_MSG))
-                     'expired.')
 
     def test_expired_ds(self):
         "Install new expired DS certificate"
 
         result = self.certinstall('d', 'ca1/server-expired')
         assert_error(result,
-                     'The server certificate in server.p12 is not valid: '
+                     'The server certificate in server.p12 is not valid: {err}'
-                     "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
+                     .format(err=CERT_EXPIRED_MSG))
-                     'expired.')
 
     def test_http_bad_usage(self):
         "Install new HTTP certificate with invalid key usage"